C skills

Stealth, I can only say that I had no clue you did...

2009-12-01T03:37:13.119-08:00

Stealth, I can only say that I had no clue you did find the bug before me, maybe i embodied magical powers? :) Great work anyways.

Excellent work :-) you can also measure the entrop...

2009-11-16T12:33:50.108-08:00

Excellent work :-) you can also measure the entropy of certain places in the heap before trying to find the SSL structures. I think this would reduce the number of the memory areas under suspicion.

Hail! Well, I keep an eye on openbsd-bugs but I w...

2009-11-05T13:39:00.964-08:00

Hail!

Well, I keep an eye on openbsd-bugs but I would never post about undisclosed vulnerabilities so it's not entirely on my hand. :)

Uhm, why don't you write about OpenBSD bugs, inste...

2009-11-02T09:30:16.101-08:00

Uhm, why don't you write about OpenBSD bugs, instead of shove the work to xorl? someone else can do an equally good job if they cared enough to.

Pls remember to delete also *.so and inject in the...

2009-10-16T09:38:00.861-07:00

Pls remember to delete also *.so and inject in the next version in Makefile

clean:
rm -rf *.o *.so inject

It'd work for 32bit the same way, but this version...

2009-10-15T01:38:19.452-07:00

It'd work for 32bit the same way,
but this version only handles
64bit registers and x86-64 ABI.

Excellent! Does this work with 32bit, or only 64bi...

2009-10-14T09:39:39.503-07:00

Excellent! Does this work with 32bit, or only 64bit???

Yes, the !start check is useless; it can never be ...

2009-10-11T23:57:55.289-07:00

Yes, the !start check is useless;
it can never be NULL except you
are really close to the end
of address.
So, the "funny" thing to me
(I have my own weird humor :) was
that it couldnt be NULL for
two reasons; the +1 and the
while() condition; but its
checked nevertheless; at a time
where the whole world was discussing NULL ptr derefs.
This happened since the line was copied from
other parts of the code where the
check made sense (not shown in the snippet) and this C&P coding was
leading to a remote crash later;
since it actually accessed *start then
with start being 1.

I don't see the problem aswell, but it might just ...

2009-10-11T12:20:47.460-07:00

I don't see the problem aswell, but it might just be me being lame.

Under the assumptions that start is a pointer to a null-terminated bunch of characters (which might also be of size 0) and that NULL is defined to 0 (which should be the case almost everywhere) I don't think there is a NULL ptr dereference anywhere nor any other bug. Beside that the !start check seems pretty useless.

An idea I thought of was start being NULL, then start + 1 would point to address 1 and get dereferenced by !*start. But that obviously doesn't happen since if there is no '<' strchr() returns NULL and the body of the while loop does not get executed at all.

So what did I miss?

--fiction

Yes, indeed. There's a 403 Forbidden on the file. ...

2009-10-06T10:13:38.196-07:00

Yes, indeed. There's a 403 Forbidden on the file. Please change the permissions!

You can't enable CONFIG_WHATEVER on already runnin...

2009-09-29T23:54:44.477-07:00

You can't enable CONFIG_WHATEVER on
already running kernels.You have to
work with what you got, therefore needing
to make certain pages writable.

And sure; we can publish attack code :)

wut wut it has everything to do with CONFIG_DEBUG...

2009-09-29T12:05:41.319-07:00

wut wut

it has everything to do with CONFIG_DEBUG_RODATA being on or off

just use WP toggling like you should have been doing years ago

I thought you germans couldn't publish attack code...

2009-09-29T12:09:11.352-07:00

I thought you germans couldn't publish attack code!

Awesome! :)

2009-09-26T09:38:27.316-07:00

Awesome! :)

Wow, wtf! Thanks for catching this.

2009-09-22T11:21:57.072-07:00

Wow, wtf! Thanks for catching this.

Hello there, I finally found some time to read th...

2009-09-21T18:51:59.350-07:00

Hello there,

I finally found some time to read the PSC code. Very nice! I was recently thinking that this idea can be used in a shellcode, but instead of porting all that stuff to ASM, one can spawn /usr/bin/python instead of /bin/bash and then use the python ctypes FFI (described at my blog at http://decepticonpunk.wordpress.com/2009/09/17/python-in-noexec-land/) to create crypto tunnels and pty sessions. Actually, I haven't tested it yet, and probably I won't test it until the next time I'll need a shellcode. This may result in both less forensic evidence (since python is interpreted on-the-fly) and fully private connections.

Keep up the cool posts!
./hk

Nice idea for a "generic auto_ptr". I will try thi...

2009-09-04T09:25:09.409-07:00

Nice idea for a "generic auto_ptr". I will try this in my next C++ project :)

BTW: Same applies to sockets.

nice, reminds me of -finstrument-functions :)

2009-09-04T09:17:12.899-07:00

nice, reminds me of -finstrument-functions :)

And for those of us who think C++ is evil, you can...

2009-09-04T08:06:21.803-07:00

And for those of us who think C++ is evil, you can do something like

#define scoped __attribute__((cleanup(cleanup)))

scoped void *foo;

To call cleanup(&foo) when foo goes out of scope, obviously without evil templates you must define different qualifiers for different types :-)

Awesome! thanks!

2009-08-28T07:44:56.954-07:00

Awesome! thanks!

http://www.doecirc.energy.gov/bulletins/t-217.shtm...

2009-08-27T03:40:09.149-07:00

http://www.doecirc.energy.gov/bulletins/t-217.shtml
can u explain how to trigger that vuln coz i cant fully understand it
thanks :)

Unfortunately mmap() not working when trying to ma...

2009-08-17T06:31:30.871-07:00

Unfortunately mmap() not working when trying to map the first page is not a security boundary.
IIRC, here, it's just a side effect of the PT_LOAD executable segment being mapped so low in the address space by default on ARM.

You can easily bypass this restriction by crafting a special ELF file, using mremap, or with other techniques I won't describe here.

I believe Zinx used the former in his exploit.

quite a bit of magic ;) -spender

2009-08-15T14:27:28.884-07:00

quite a bit of magic ;)

-spender

Oh thanks.That makes me proud, especially to hear ...

2009-07-31T01:25:11.209-07:00

Oh thanks.That makes me proud, especially
to hear that from the pulseaudio
guys.A bug that was designed to
be found by me, but we do not ship it
setuid. :-)

Congratulations, it was an awesome find.

2009-07-30T09:02:37.365-07:00

Congratulations, it was an awesome find.